From owner-freebsd-isp Wed Nov 29 17:17:44 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from velvet.sensation.net.au (serial1-2-velvet-brunswick.sensation.net.au [203.20.114.195]) by hub.freebsd.org (Postfix) with ESMTP id E6E6537B400 for ; Wed, 29 Nov 2000 17:17:12 -0800 (PST)
Received: from localhost (rowan@localhost) by velvet.sensation.net.au (8.9.3/8.9.3) with ESMTP id MAA58334 for ; Thu, 30 Nov 2000 12:16:39 +1100 (EST) (envelope-from rowan@sensation.net.au)
X-Authentication-Warning: velvet.sensation.net.au: rowan owned process doing -bs
Date: Thu, 30 Nov 2000 12:16:36 +1100 (EST)
From: Rowan Crowe
To: freebsd-isp@freebsd.org
Subject: Re: tcpdump & user-ppp/tunX. Ethereal ?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 30 Nov 2000, Stanley Hopcroft wrote:

> Dear Sir,
>
> I am writing to say that ethereal (http://www.zing.org aka
> http://www.ethereal.com/) is a very nice seven layer packet decoder
> that may be suitable if you need nasty link layer stuff.
>
> There is a FreeBSD port of it, and while for my money's worth, tcpdump
> with ASCII decode patches (he he), is by far and away more convenient
> than a relatively sluggish X application, Ethereal decodes almost every
> protocol and his dog.

Thanks Stanley, I don't run X on any of my machines (especially the little
486dx2-66 I want to track traffic on!) so it's not really an option...

Some time ago I wrote a program which accepted the output from tcpdump and
generated 4 lists ordered by:

    source port
    destination port
    source IP
    destination IP

In this way it was very easy to be able to see where content was coming from,
how much HTTP or SMTP traffic was coming in, which customer is receiving the
most traffic, etc. I've included a sample output below.
This program makes use of the apparent -e "packet size" parameter which I
later discovered is not guaranteed; it works fine on 2.2.8 systems but of
course breaks on later versions of tcpdump which output things a little
differently. Another limitation is that it only handles UDP and TCP packets,
and quietly ignores anything else.

I want to adapt this program to a 3.x system. Perhaps it's time to hack
tcpdump. :-)

Thanks for the suggestion.

288364 packets processed; 112,318,133 bytes total; 13,087 unique connections.

*** Sorted by source IP address ***
Total unique entries: 2746
First 40 entries:
18,730Kb  17%  205.188.137.185
11,043Kb  10%  203.36.1.129
 5,493Kb   5%  203.1.20.10
 4,073Kb   3%  139.134.5.197
 3,018Kb   2%  64.41.227.225
 2,594Kb   2%  203.20.114.7
 2,580Kb   2%  203.36.1.147
 2,576Kb   2%  64.29.207.228
 1,961Kb   1%  211.45.27.151
 1,854Kb   1%  212.227.109.212
 1,778Kb   1%  63.209.83.91
 1,576Kb   1%  216.34.24.207
 1,100Kb   1%  128.32.18.166
 1,071Kb   0%  64.4.8.250
 1,054Kb   0%  203.2.192.84
 1,049Kb   0%  128.177.243.61
   848Kb   0%  216.65.106.242
   751Kb   0%  216.240.130.101
   591Kb   0%  192.68.228.132
   586Kb   0%  151.196.93.7
   552Kb   0%  209.132.192.13
   551Kb   0%  209.117.195.200
   508Kb   0%  209.50.252.43
   499Kb   0%  209.25.129.115
   494Kb   0%  24.0.0.200
   492Kb   0%  209.185.128.158
   489Kb   0%  208.48.218.205
   481Kb   0%  209.198.49.161
   479Kb   0%  207.246.159.76
   456Kb   0%  216.223.198.226
   452Kb   0%  209.207.146.160
   445Kb   0%  204.85.35.52
   439Kb   0%  207.230.127.4
   413Kb   0%  202.2.59.40
   408Kb   0%  207.192.97.52
   406Kb   0%  216.247.86.46
   396Kb   0%  203.20.114.4
   390Kb   0%  204.71.200.180
   383Kb   0%  216.74.73.62
   368Kb   0%  130.80.29.3
   352Kb   0%  209.226.29.11

*** Sorted by destination IP address ***
Total unique entries: 580
First 40 entries:
36,547Kb  33%  203.55.253.20
16,209Kb  14%  203.20.114.7
12,443Kb  11%  203.25.86.4
11,043Kb  10%  203.20.114.4
 9,982Kb   9%  216.226.215.2
 3,963Kb   3%  203.20.114.91
 2,406Kb   2%  203.55.253.17
 2,149Kb   1%  203.36.1.147
 2,102Kb   1%  203.20.114.105
 1,816Kb   1%  203.25.86.210
 1,646Kb   1%  203.25.86.55
 1,450Kb   1%  216.226.215.1
   954Kb   0%  203.25.86.106
   837Kb   0%  203.25.86.100
   749Kb   0%  203.20.114.92
   599Kb   0%  203.20.114.241
   528Kb   0%  203.20.114.242
   462Kb   0%  203.20.114.148
   445Kb   0%  216.226.193.195
   413Kb   0%  203.25.86.105
   396Kb   0%  203.36.1.129
   387Kb   0%  203.20.114.90
   262Kb   0%  203.44.3.130
   262Kb   0%  203.44.3.129
   172Kb   0%  203.20.114.24
   158Kb   0%  203.20.114.214
   146Kb   0%  203.20.114.3
   138Kb   0%  203.55.253.16
   128Kb   0%  203.20.114.253
   127Kb   0%  203.20.114.89
    91Kb   0%  203.20.114.109
    77Kb   0%  203.20.114.1
    67Kb   0%  203.20.114.81
    65Kb   0%  203.20.114.19
    51Kb   0%  203.20.114.195
    18Kb   0%  203.25.86.213
    12Kb   0%  203.25.86.101
    11Kb   0%  203.20.114.23
     8Kb   0%  64.38.223.44
     5Kb   0%  203.25.86.107
     4Kb   0%  203.25.86.108

*** Sorted by source TCP/UDP port ***
Total unique entries: 2579
First 40 entries:
70,927Kb  64%  80
11,042Kb  10%  119
 5,493Kb   5%  2359
 4,073Kb   3%  4896
 3,885Kb   3%  3130
 2,702Kb   2%  53
 1,056Kb   0%  8080
 1,055Kb   0%  62626
   543Kb   0%  443
   505Kb   0%  1863
   446Kb   0%  1044
   444Kb   0%  1278
   262Kb   0%  14591
   262Kb   0%  179
   231Kb   0%  137
   225Kb   0%  6666
   224Kb   0%  1063
   224Kb   0%  1065
   194Kb   0%  1068
   157Kb   0%  6667
   152Kb   0%  1609
   124Kb   0%  63390
   120Kb   0%  1064
   108Kb   0%  2587
   106Kb   0%  3674
    97Kb   0%  47819
    66Kb   0%  64661
    52Kb   0%  3924
    51Kb   0%  3874
    46Kb   0%  3601
    46Kb   0%  3682
    45Kb   0%  3647
    42Kb   0%  4000
    40Kb   0%  1024
    40Kb   0%  1033
    40Kb   0%  1835
    39Kb   0%  1031
    39Kb   0%  1817
    38Kb   0%  3838
    38Kb   0%  3771
    37Kb   0%  1030

*** Sorted by destination TCP/UDP port ***
Total unique entries: 3581
First 40 entries:
11,826Kb  10%  25
 6,795Kb   6%  3147
 6,106Kb   5%  3324
 5,640Kb   5%  4299
 3,893Kb   3%  3130
 3,362Kb   3%  53
 3,001Kb   2%  1969
 2,576Kb   2%  4667
 2,405Kb   2%  80
 1,855Kb   1%  2270
 1,292Kb   1%  3682
 1,278Kb   1%  1835
 1,276Kb   1%  3924
 1,266Kb   1%  1817
 1,254Kb   1%  3647
 1,241Kb   1%  3874
 1,226Kb   1%  3771
 1,144Kb   1%  3838
   842Kb   0%  2477
   655Kb   0%  1039
   649Kb   0%  1121
   585Kb   0%  2189
   522Kb   0%  2002
   508Kb   0%  1087
   421Kb   0%  4999
   399Kb   0%  4003
   395Kb   0%  119
   390Kb   0%  4406
   363Kb   0%  1947
   362Kb   0%  1997
   347Kb   0%  2135
   312Kb   0%  8080
   278Kb   0%  1833
   262Kb   0%  179
   262Kb   0%  14591
   255Kb   0%  1352
   254Kb   0%  3668
   250Kb   0%  1025
   249Kb   0%  3908
   246Kb   0%  3818
   231Kb   0%  137

Cheers.
--
Rowan Crowe                      http://www.rowan.sensation.net.au/
Sensation Internet Services      http://info.sensation.net.au/
Melbourne, Australia             Phone: +61-3-9388-9260

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
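Rowan's program is not attached to the message, so the following is an added example (not Rowan's code and not any FreeBSD or tcpdump tool) of the tally he describes: it reads tcpdump -e lines, takes the frame length, sums bytes by source IP, destination IP, source port and destination port, and prints the four lists in the layout of the sample output above. It assumes the line format of modern tcpdump -n -e output on Ethernet, which the message itself warns is not something to rely on across versions, so lines that do not match are counted and skipped rather than parsed loosely; the sample lines are constructed, and counting a "connection" as a distinct (src, sport, dst, dport) tuple is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of modern tcpdump "-n -e" output on Ethernet
# (IPv4 frames carrying a "length N" frame size). The 2.2.8-era output the
# email's program relied on looked different; anything not matching this shape
# is counted as skipped instead of being guessed at.
SAMPLE_TCPDUMP = """\
12:16:36.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 1514: 203.0.113.10.80 > 198.51.100.20.3147: Flags [.], seq 1:1461, ack 1, win 8192, length 1460
12:16:36.000002 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 1514: 203.0.113.10.80 > 198.51.100.20.3147: Flags [.], seq 1461:2921, ack 1, win 8192, length 1460
12:16:36.000003 00:00:5e:00:53:02 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 66: 198.51.100.20.3147 > 203.0.113.10.80: Flags [.], ack 2921, win 65535, length 0
12:16:36.000004 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 110: 203.0.113.53.53 > 198.51.100.20.1025: 1234 1/0/0 A 203.0.113.10 (68)
12:16:36.000005 00:00:5e:00:53:02 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: 198.51.100.20 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
12:16:36.000006 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.1 tell 203.0.113.10, length 28
"""

# Frame length, then "src.sport > dst.dport:" as printed for TCP and UDP over
# IPv4. ICMP (no port), ARP (no IPv4 ethertype) and unknown formats do not match.
LINE_RE = re.compile(
    r"^\S+ \S+ > \S+, ethertype IPv4 \(0x0800\), length (?P<frame>\d+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return (frame_bytes, src_ip, src_port, dst_ip, dst_port), or None for a
    line that is not a TCP/UDP IPv4 frame in the expected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return (int(m["frame"]), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def tally(lines):
    """Sum frame bytes per source IP, destination IP, source port and
    destination port. A "connection" is a distinct 4-tuple here (assumption:
    the email does not say how its count was defined)."""
    stats = {"packets": 0, "skipped": 0, "bytes": 0}
    tallies = {k: Counter() for k in ("src_ip", "dst_ip", "src_port", "dst_port")}
    connections = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            stats["skipped"] += 1  # the email's program quietly ignored these
            continue
        frame, src, sport, dst, dport = parsed
        stats["packets"] += 1
        stats["bytes"] += frame
        tallies["src_ip"][src] += frame
        tallies["dst_ip"][dst] += frame
        tallies["src_port"][sport] += frame
        tallies["dst_port"][dport] += frame
        connections.add((src, sport, dst, dport))
    stats["connections"] = len(connections)
    return stats, tallies


def format_table(title, counter, total_bytes, limit=40):
    """One of the four lists in the layout of the email's sample output:
    truncated Kb, truncated percentage of all bytes, then the key."""
    out = [f"*** Sorted by {title} ***",
           f"Total unique entries: {len(counter)}",
           f"First {limit} entries:"]
    for key, nbytes in counter.most_common(limit):
        pct = (100 * nbytes) // total_bytes if total_bytes else 0
        out.append(f"{nbytes // 1024:>8,}Kb {pct:>3}% {key}")
    return "\n".join(out)


def report(lines, limit=40):
    """Header line plus the four tables, as a single string."""
    stats, tallies = tally(lines)
    head = (f"{stats['packets']} packets processed; {stats['bytes']:,} bytes total; "
            f"{stats['connections']:,} unique connections; {stats['skipped']} lines skipped.")
    titles = [("source IP address", "src_ip"), ("destination IP address", "dst_ip"),
              ("source TCP/UDP port", "src_port"), ("destination TCP/UDP port", "dst_port")]
    tables = [format_table(t, tallies[k], stats["bytes"], limit) for t, k in titles]
    return "\n\n".join([head] + tables)


if __name__ == "__main__":
    import sys
    # Pipe "tcpdump -n -e -i <interface>" into this script; with no piped
    # input it runs over the constructed sample above.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_TCPDUMP.splitlines()
    print(report(source))
```

The "lines skipped" count in the header is what the email's program lacked: when a new tcpdump version changes its output, the tally still runs but every line lands in the skipped bucket, which is immediately visible instead of silently producing empty tables.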